This article covers how to use a template to create a macOS command that runs remotely as the logged-in user via JumpCloud Commands.
Only perform the following steps if you're familiar with bash/zsh or Shell scripting. Proceed with caution.
Understanding the Shell Script
The following section breaks down the major blocks within the script and what each line performs on the target device. To skip to the fully compiled script, see Compiled Script Example.
The first block gets the username of the currently logged-in user and assigns it to the $localuser variable:
localuser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
Then you can leverage the newly created $localuser variable by either copying the script as a file to the endpoint and calling it from the command:
sudo -u "$localuser" /bin/bash "/path/to/script.sh"
or by using a block of code:
localuser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
sudo -u "$localuser" zsh <<EOF
## begin of user scoped code block
say "This is a test of the localuser script."
echo -e "\a"
## end of code block
EOF
When you run a script that switches to user context as in the previous example, you may receive notifications from macOS Sandbox that access to the current directory is blocked:
"shell-init: error retrieving current directory: getcwd: cannot access parent directories: Permission denied"
To address this, set the current working directory of the script to a non-sandboxed location with a line like cd /Users/Shared at the beginning of the script.
Compiled Script Example
The following example script assumes bash or zsh shells. Ensure you have a #! line that matches a shell on the target macOS device(s).
To utilize the template, insert your code to run as the logged-in user between these lines:
## begin of user scoped code block
## end of code block
#!/bin/bash
cd /Users/Shared
sleep 1 ## if running on login event - allows ConsoleUser value to settle
localuser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
## If no user is logged in, notify and exit gracefully.
if [ -z "${localuser}" ]; then
    echo "No user is currently logged in."
    exit
fi
## Execute block of code as the currently logged in user.
sudo -u "$localuser" /bin/bash <<EOF
## begin of user scoped code block
mkdir /Users/$localuser/Applications
mkdir ~/AnotherDir
## end of code block
EOF
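The template's `<<EOF` delimiter is unquoted, so `$localuser` and any `$(...)` inside the user-scoped block are expanded by the root shell before `sudo -u` starts the user's shell. The following added example (not part of JumpCloud's template) shows the difference without needing sudo or scutil; `CONTEXT`, `target`, and the function names are constructed stand-ins.

```shell
#!/bin/sh
# Added example: which shell expands the body of a here-document?
# CONTEXT is a constructed stand-in for "who am I": the outer shell plays
# root, the inner shell (started with a different CONTEXT) plays the user.

CONTEXT="outer-root-shell"
export CONTEXT

# Unquoted delimiter, as in the template: the OUTER shell expands $CONTEXT
# and runs $(...) before the inner shell receives the text.
run_unquoted() {
  env CONTEXT="inner-user-shell" sh <<EOF
printf '%s %s\n' "$CONTEXT" "$(printenv CONTEXT)"
EOF
}

# Quoted delimiter: the text is passed through untouched, so every
# expansion and command substitution happens in the INNER shell.
run_quoted() {
  env CONTEXT="inner-user-shell" sh <<'EOF'
printf '%s %s\n' "$CONTEXT" "$(printenv CONTEXT)"
EOF
}

# Unquoted delimiter with \$ on the parts that must wait for the inner
# shell. "target" is a constructed value standing in for $localuser.
run_escaped() {
  target="alice"
  env CONTEXT="inner-user-shell" sh <<EOF
printf '%s %s\n' "$target" "\$CONTEXT"
EOF
}

echo "unquoted: $(run_unquoted)"
echo "quoted:   $(run_quoted)"
echo "escaped:  $(run_escaped)"
```

In the template, escape with `\$` anything that must be evaluated as the logged-in user, and keep unescaped expansion only for values such as `$localuser` that the root shell has to supply.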
Creating the JumpCloud Command
After you've verified your script using the template, you can insert the code into a JumpCloud Command to deploy it to your macOS devices remotely.
To create the JumpCloud Command:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Commands.
- Click ( + ), then choose Command.
- On the Details tab, enter a name for the new command. This is the name shown in the sortable list view of commands.
- For Type, select Mac.
- Under Run As user, select root.
- In the Command field, paste the contents of the script you created using the template.
For details on all available JumpCloud Commands settings, see Get Started: Commands.
- Select the Device Groups tab to set the specific device groups where this command will execute.
- Select the Devices tab to set the specific devices where this command will execute.
- Click Save.
- Run the command by clicking Run Now on the Commands page.
- After the command runs, go to the Results tab and click View on the associated command to view the log.